Skip to content
New Report: Get your copy of The 2024 State of the Internet Report! | Download Today
Advisory

April 26, 2024: WordPress Automatic plugin vulnerability exploited for site takeovers CVE-2024-27956

Global Impact (at time of dissemination)

• 300+ publicly-exposed hosts running WordPress Automatic by ValvePress

Top affected countries:
1. US
2. Germany
3. France
4. Netherlands
5. UK


Summary

Censys is aware that on March 21, 2024, a vulnerability in WordPress plugin Automatic by ValvePress – CVE-2024-27956 – that could allow WordPress website takeovers, was published. It has recently been reported that this flaw is currently being exploited by attackers. The issue allows for trivial SQL injection attacks against the plugin’s user authentication process.

Asset Description
WordPress Automatic Plugin by ValvePress
, “posts from almost any website to WordPress automatically.” WordPress plugins are usually 3rd party-developed applications that can be applied to a customer’s WordPress site with minimal to no coding. Such applications require various, and many times deep, accesses to website functionality. Such access can and is often used by attackers when vulnerabilities exist within these 3rd party plugins.

Impact

Progress Flowmon “is used by more than 1,500 companies around the world, including SEGA, KIA, and TDK, Volkswagen….”(Bleepingcomputer).
Potential Consequences of Successful Exploitation
According to WPScan “attackers can exploit it [vulnerability] to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.” It should be noted that WordPress is often time used as a sole source of online presence and revenue for medium and small businesses; compromises of these sites could be catastrophic for such businesses.

Affected Assets

According to the NVD, this issue affects all versions through 3.92.0.
Censys’ Rapid Response Team was able to identify WordPress Automatic plugin installations on publicly accessible WordPress Servers detected by our scanners. Due to the nature of the plugin, version information is not available and certain configurations might remain hidden due to non-public indexing of webpages, therefore our scans may not capture all unique setups of this plugin.

Censys ASM Query for Exposed Assets.
This query is shared for customers who wish to refine or alter versioning for customized operations.

Censys Search Queries
are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.

Recommendations for remediation

If you need assistance in positively identifying these assets, please let us know.
Attack Surface Management Solutions
Learn more